2FA – Frequently asked questions

Authentication is a process by which a person or computer proves they are who they claim to be. An example is a person signing in to a web site by providing their UW NetID and password.

Two-factor, also called 2FA, adds a second layer of security when signing in. The UW uses Duo for 2FA. Normally, you verify your identity with a single factor, such as a password, which is something you know. Verifying your identity using a second factor, like a smartphone or hardware token, which is something you have, prevents others from signing in as you, even if they know your password.

At the UW, two-factor authentication is used to secure applications that have sensitive institutional data to reduce the risk that this data will get compromised. Guidelines governing the use of technical controls to ensure the security of UW data come from UW Administrative Policy statements including APS 2.4.

We use a service called Duo to perform two-factor authentication. This service can use a smartphone app, a phone call, or a hardware token as a second factor to authenticate you. Most people use Duo via the smartphone app, Duo Mobile, which runs on a variety of smartphones and tablets and is simple to use.

Many systems with sensitive data require 2FA, including UW administrative systems, Hyak, and Workday. Additionally staff, faculty, and students are required to use 2FA.

Eligibility for 2FA is based on your affiliation with the UW, or rare case-by-case authorizations when no other alternative exists.

Learn more about 2FA eligibility.

Passwords can often be stolen, guessed or hacked, and you may not even realize your password has been compromised. With two-factor authentication protected services, a compromised password won’t mean a compromised account.

UW has used 2FA for secure access to specific systems since the late 1980s. Previous 2FA solutions included SecurID (late 1980s to 2011) and Entrust (2008 to 2017).

• Easily reduce the number of times you are prompted to sign in with your 2FA device by clicking “Yes, this is my device” option on personal devices or on other non-shared computers that you regularly use and trust. This “Remember me” cookie tells your browser to remember that you have confirmed your identity using your 2FA device. If you select this option, you won’t have to use your 2FA device as often with that browser. 
• Microsoft similarly offers “Stay signed in” for UW Azure AD; read more about this option to reduce 2FA/Duo prompts.

Instructions for installing Duo depend on what device you are going to use as your second factor:

• Smartphone or tablet: Smartphones and tablets are able to use the Duo Mobile app for authentication. Refer to Set up a smartphone or tablet.
• Mobile phone or landline: Phones can also be used via the “call me” authentication method. Refer to Set up a mobile phone or landline.
• Token: Hardware tokens are small security devices that support 2FA. Refer to Hardware tokens.

Yes.

The enrollment process should take no longer than 5 to 10 minutes for first-time users. If you are planning on using the free Duo Mobile application, we suggest you install that on your smartphone or tablet now so that enrollment will be simpler.

A single sign-on session for access to web-based applications is designed to last 8-12 hours. However, individual applications can be configured independently and you may have to sign in to some applications more often than others. If you quit your browser, you will be required to sign in again.

To use Duo two-factor authentication, you will need either a smartphone or tablet that can run the Duo Mobile application, or a phone capable of receiving a voice call.

Signing into a web application protected by Duo requires a modern web browser with JavaScript enabled. Supported are Google Chrome, Mozilla Firefox, Safari, Edge, Opera or Internet Explorer (IE). For IE, version 11 or later is required.

To use the preferred Duo Push method of authentication, a smartphone or tablet with the Duo Mobile app installed is required. The most recent versions of operating systems are supported; older versions of Android and Apple operating systems may no longer be supported.

If you do not have a device capable of installing the Duo Mobile application, you can enroll a phone number that can receive a voice call to authenticate you.

If you are not able to use any phone-based authentication method, Duo also supports hardware tokens. Then, instead of relying on a phone, you can use the physical token that you would need to personally have in your possession. Learn more about hardware tokens.

Android: Launch the Play Store app and search for “Duo Mobile”. Choose the Duo Mobile app from Duo Security, Inc., (not Google Duo). Download and install the application.

iOS: Launch the App Store app and search for “Duo Mobile”. Choose the Duo Mobile app from Duo Security, Inc. (not Google Duo.) Download and install the application.

Other smartphone platforms: Search for “Duo Mobile” from Duo Security, Inc. in your device’s application store.

Duo Mobile only​ needs permission to use your camera when you set up your smartphone or tablet. It only uses your camera to scan the Quick Response (QR) code used for activation. After activation, Duo Mobile doesn’t access your camera. You can remove this permission and Duo Mobile will work fine.

If you get a new phone (or tablet) you will need to configure the Duo Mobile application on your new device, as it will not work automatically even if your old device had Duo installed.

• If you are keeping your same phone number, then you can use the “call me” method of authentication. Go to Identity Provider, 2FA tab, and add a new device via “Manage 2FA devices.” Once authenticated, you can select  “Add a new device” or “Reactivate Duo Mobile.” Get details at Set up a smartphone or tablet. You can read more at Set up a replacement device for 2FA.
• If you are not keeping your old phone number, you will either need to use your old phone for authentication or call the UW-IT Service Center at 206-221-5000, option 1, to get a temporary passcode. Once authenticated, you can enroll your device as above. Get details at Set up a smartphone or tablet.  You can read more at Set up a replacement device for 2FA.

A passcode is a code that can be generated from the Duo Mobile app or a hardware token. You may also get a ‘temporary bypass code’ from the UW-IT Service Center that will be a passcode you can use to sign in to the Duo authentication prompt. To sign in with a passcode, simply type the code you were given from the device or the UW-IT Service Center into the ‘Enter a passcode’ or ‘Enter a temporary bypass code’ prompt when you need to sign in with Duo.

Duo has documented the steps they have taken for accessibility at https://duo.com/docs/accessibility. 

The Duo prompt iframe has been designed by Duo to be more accessible including supporting most screen readers. A default authentication method can also be set to avoid having to select an authentication method. 

For authentication methods the Duo Mobile application which can be used as a form of authentication is reported by Duo to work with smartphone accessibility technologies. The App can be used for “pushes” which is a prompt on the smartphone, or for generating a passcode. 

Additionally with a phone based authentication method, the “call me” option can be easier to use, as this method requires answering a phone call. 

Finally there do exist physical tokens that are not dependent on reading a passcode off of them. UW offers Hardware tokens, and supports personal hardware tokens that may be a better fit for accessibility like Yubikeys.

A passcode can be generated on the Duo Mobile application by tapping the bar containing ‘University of Washington’ inside the Duo Mobile application. You should then be shown a set of numbers which can be used to sign in at the Duo authentication prompt. 

You also can generate a passcode with the Duo Mobile application even if your phone is not connected to the internet. Fortunately,  generating a passcode with the app doesn’t use any data or minutes on your cell phone plan.

It’s important to understand and set up alternative methods of authentication that are available when you’re not connected:

• What if I have no service?: 
  • When you can, use the internet! Your Duo Mobile app can be used to approve authentications via the “Duo Push” method, even when you don’t have service. This is helpful when the building you are in blocks service or you are traveling but find wi-fi.
• What if I have no internet? 
  • Use passcodes on your Duo-enabled device! Your Duo Mobile app can be used to generate passcodes while not connected. Go to “Sign in with 2FA” near the bottom of the main 2FA page for more information. See the above question for more details
• Token: 
  • Hardware tokens are small security devices that support 2FA. They are another great resource when you are expecting to encounter trouble with other authentication methods. Refer to Hardware tokens.
• Security key: 
  • You can set up a security key (also known as Universal 2nd Factor, or U2F) device for Duo 2FA at UW. Refer to Set up a security key.
• Another phone: 
  • You can use a different phone as your alternative. Refer to Set up a mobile phone or landline.

While traveling requires extra planning, Duo should be a part of the plans. Many of the same alternative authentication methods detailed in the section above, “What can I do if I am offline or out of cellular service?” can be your solution for travel. Taking a minute to determine how you plan to use Duo will save yourself a headache in the future.

If you are traveling internationally, please check if your destination allows Duo. Refer to the section “Can I use Duo while outside of the United States?” for more details.

Yes, more than one person can set up and use the same landline. The first person to do so can follow the instructions to set up a landline. The steps are a bit different for the next person to set up the same landline. Namely, when they enter the phone number for the landline, they’ll have to confirm they can receive a callback during the set up process. If they can, then it will be added. This is true for anyone else who tries to enroll the same landline.

Do NOT approve Duo Mobile push notifications or Duo phone calls that you didn’t initiate yourself. They may be fraudulent, unauthorized attempts to sign in as you. Only approve 2FA requests you initiate yourself, knowingly and intentionally. To learn more refer to reporting fraudulent 2FA requests.

While most devices and sign-in options may be used outside the United States, it is important to enroll the device(s) ahead of your travel time.

• If you’ll have reliable internet access on your device while abroad, Duo Mobile and its “Send Me a Push” option for signing in will work normally.
• If you won’t have internet access on your device, Duo Mobile can operate while offline using the “Enter a Passcode” options; follow the steps above to generate a passcode when you need to sign in. A hardware token will also work offline but, since it is a physical device, it is best to obtain the hard token before you begin travel. Refer to hardware tokens to learn more.
• Please note the “Call Me” option only works with phone numbers in the US (and parts of Canada). If you want to use this option, you must enroll in Duo using a US phone number and be able to receive calls to this number while abroad.
• Lastly, the following regions are affected by Duo OFAC restrictions and will block authentication attempts. If you are traveling to one of these regions, please contact UW-IT at help@uw.edu.

Impacted countries or regions:

• Cuba (CU)
• North Korea (KP)
• Iran (IR)
• Sudan (SD)
• Syria (SY)
• Crimea region (43)
• Donetsk region (14)
• Luhansk region (09)
• Sevastopol region (40)

Yes, definitely. The University values personal choice and recognizes the convenience of using a personal device for 2FA.

Yes, again. Employees can use a personal device for 2FA, even for University business. A personal device enables safe and convenient two-factor authentication to systems used to conduct University business. From a cost and risk perspective, it’s often more effective than other 2FA options (such as landlines and hardware tokens). “Bring your own device” (BYOD) is a common operational model that acknowledges trends in society toward use of personal devices for user authentication.

If you use Duo Mobile, there is no data stored on your smartphone or tablet. Period. We recommend use of Duo Mobile because it’s simple and secure, and one of the reasons for this is it creates no records on your personal device.

If  you receive phone callbacks, there is no data on your phone and you can delete the metadata from your phone’s history of recent incoming calls because it’s transitory and the administrative purpose is fulfilled as soon as you’ve completed the call.

In each case, the result is the same: no data related to 2FA on your device that’s subject to disclosure.

Yes. Using a personal device for 2FA comes with the obligation to take reasonable precaution to protect it. Such precautions normally include the use of a password or a PIN to unlock the phone, as well as maintaining current versions of your phone’s operating system and Duo Mobile.

Yes. UW-IT will provide a hardware token if you need one. Or you can register your own, if it’s compatible. To learn more, refer to hardware tokens.

Hardware Token Request Form

A U2F (Universal 2nd Factor) token is a “security key” (cryptographic hardware token) that plugs into your computer’s USB port and supports the U2F authentication protocol. The U2F protocol requires a supported web browser, so it can only be used for 2FA to web applications. U2F tokens have excellent usability and provide the highest security.

UW-IT does not provide U2F tokens, but if you obtain one, you can set up your U2F device to work with Duo at the UW.

If your primary 2FA and back-up method(s) fail, contact the UW-IT Service Center for a temporary bypass code. A support person will verify your identity and provide a temporary bypass code that authorizes your UW NetID and password access. This temporary bypass code will act as the critical second step for authentication. 

Phone:  (206) 221-5000 |  Email: help@uw.edu 

Visit the Lost or stolen 2FA device page on IT Connect for detailed information. Note that if you set up more than one 2FA device, you can use your available 2FA device to remove your lost or stolen device; go to the 2FA tab.

It is possible to integrate Duo 2FA to protect applications that integrate with our single sign-on (SSO) services and on departmental servers and applications, if certain conditions are met. To learn more, refer to Add 2FA to your IT system.